From 0cf865f0254f33fba312a9342c635b7300ea0291 Mon Sep 17 00:00:00 2001
From: Lain Soykaf
Date: Tue, 12 May 2026 23:50:30 +0400
Subject: [PATCH] Reject third-party remote reports

---
 changelog.d/reject-third-party-reports.fix | 1 +
 lib/pleroma/web/activity_pub/transmogrifier.ex | 7 +++++++
 .../web/activity_pub/transmogrifier_test.exs | 17 +++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 changelog.d/reject-third-party-reports.fix

diff --git a/changelog.d/reject-third-party-reports.fix b/changelog.d/reject-third-party-reports.fix
new file mode 100644
index 000000000..7d4e87b94
--- /dev/null
+++ b/changelog.d/reject-third-party-reports.fix
@@ -0,0 +1 @@
+Reject incoming reports when both the reporter and reported account are remote
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
index 4421da26c..261272d08 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@@ -430,6 +430,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
 end)
 end
 
+ defp reject_third_party_report(%User{local: false}, %User{local: false} = account) do
+ {:reject, "[Transmogrifier] third-party report: #{account.ap_id}"}
+ end
+
+ defp reject_third_party_report(_, _), do: :ok
+
 def handle_incoming(data, options \\ []) do
 data
 |> fix_recursive(&strip_internal_fields/1)
@@ -447,6 +453,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
 %User{} = actor <- User.get_cached_by_ap_id(actor),
 # Reduce the object list to find the reported user.
 %User{} = account <- get_reported(objects),
+ :ok <- reject_third_party_report(actor, account),
 # Remove the reported user from the object list.
 statuses <- Enum.filter(objects, fn ap_id -> ap_id != account.ap_id end) do
 %{
diff --git a/test/pleroma/web/activity_pub/transmogrifier_test.exs b/test/pleroma/web/activity_pub/transmogrifier_test.exs
index c1e01557d..b20f15cbd 100644
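Review bot: The rejection reason built in `reject_third_party_report/2` names only the reported account, so whatever the caller does with the `{:reject, reason}` tuple (presumably logging it) gives a moderator no way to see which remote actor or instance is sending third-party reports, which is exactly the signal worth tracking if this turns out to be abusive or misconfigured federation. Binding the first argument and naming both sides fixes that without changing the contract: `defp reject_third_party_report(%User{local: false} = actor, %User{local: false} = account) do` and `{:reject, "[Transmogrifier] third-party report from #{actor.ap_id} about #{account.ap_id}"}`. The helper also deserves a why-comment above its first clause, since the `local: false`/`local: false` pattern does not explain itself: `# Neither party is local, so this instance has no standing to act on the report; accepting it would let any remote server fill the moderation queue with reports about arbitrary remote users.` The same helper is wired in at the `:ok <- reject_third_party_report(actor, account)` clause of the second hunk, after `get_reported(objects)` has already resolved the reported user, so the rejection avoids building the Flag but not whatever lookup `get_reported/1` performs; the Flag clause of `handle_incoming` starts and ends outside the hunk.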
--- a/test/pleroma/web/activity_pub/transmogrifier_test.exs
+++ b/test/pleroma/web/activity_pub/transmogrifier_test.exs
@@ -86,6 +86,23 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 assert activity.data["cc"] == [user.ap_id]
 end
 
+ test "it rejects Flag activities when both reporter and reported account are remote" do
+ reporter = insert(:user, local: false, domain: "mastodon.cat")
+ reported = insert(:user, local: false, domain: "nicecrew.digital")
+
+ message = %{
+ "@context" => "https://www.w3.org/ns/activitystreams",
+ "actor" => reporter.ap_id,
+ "content" => "blocked AND reported!!!",
+ "object" => [reported.ap_id, "https://nicecrew.digital/objects/report-status"],
+ "type" => "Flag"
+ }
+
+ assert {:reject, reason} = Transmogrifier.handle_incoming(message)
+ assert reason =~ "third-party report"
+ refute "Flag" |> Pleroma.Activity.Queries.by_type() |> Pleroma.Repo.one()
+ end
+
 test "it accepts Move activities" do
 old_user = insert(:user)
 new_user = insert(:user)
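Review bot: The fixtures name real third-party hosts (`"mastodon.cat"`, `"nicecrew.digital"`, and the `https://nicecrew.digital/objects/report-status` object URL); test data should use reserved or clearly fictitious domains so the suite neither reads as a statement about specific instances nor can resolve to them should a fixture ever trigger a fetch. Swapping them for something like `domain: "remote-a.example"` and `domain: "remote-b.example"` (with the object URL moved to the same fake host) leaves the test's behaviour unchanged. The hunk also covers only the rejecting path; unless the preceding Flag test, whose `assert activity.data["cc"] == [user.ap_id]` line opens this hunk, reports a local user, nothing pins that a remote reporter flagging a local account still passes the new `:ok` clause, and a sibling test with `reported = insert(:user)` asserting `{:ok, _}` would close that gap. The enclosing test module body begins outside the hunk.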